Our previous post showed the limitations of traditional software-driven security approaches, whether they are applied to endpoints, event logs, services or other enterprise components. Gaps exist in any endpoint-only or logs-only approach; that is why a more granular read of your actual network traffic provides a better layer of security, one that detects and defends against threats the other layers miss.
But we’ve seen how network traffic analysis is also a lot more complicated, so let’s dive into some common challenges when implementing such strategies, and how to overcome them.
The Problem of Scale
Perhaps the biggest hurdle in network traffic analysis is the sheer volume, velocity and variety of data streaming across the network. Event logs and other software-driven insights that make their way to an analyst's dashboard are distillations of what the software deems potentially malicious: summaries of much larger amounts of data, produced on hosts that an attacker may already control and can therefore tamper with or suppress. In the worst case you are essentially blind to the threat. In committing, as we must, to the collection and analysis of the raw network data, we run into big challenges of scale.
Many companies deploy packet visibility infrastructure such as Gigamon or APCOM: physical and virtual network visibility technologies that may include network TAP components, aggregation products, traffic manipulation applications and visibility fabric nodes for their internet-facing (north-south) traffic. However, a substantial share of network communication in many organizations is intra-network (east-west) traffic within the enterprise, between users, endpoints and other assets.
A perimeter-only approach is insufficient, and attackers know this. For example, an attacker who leverages compromised credentials and then uses legitimate means to access your network is extremely difficult to identify by only examining north-south traffic. Capturing east-west traffic is critical to providing additional visibility for detection purposes, and many mature enterprises have done so. But why have organizations not been more successful in detecting advanced threats?
At this point, we are still only part of the way to success. Being a completist on data collection is useful on its own for compliance and after-the-fact forensics, but it is only a foundational step for proactive cybersecurity. You still need to find the trends and patterns hidden inside the data. "Granular insights," in other words, is an empty phrase without the capacity to analyze what you have gathered.
Success Requires Powerful Data Collection and Analysis
Ultimately, effective and proactive cybersecurity requires both the collection of network traffic data and the shrewd interpretation of that data for subtle clues about a threat actor’s presence, targets and methods for attack within the system. This requires powerful and agile solutions that strategically combine advanced behavioral analytics, machine-learning techniques and artificial intelligence methods with strategic involvement of human analysts to reap actionable insights at the scale of the enterprise.
Few security partners can protect at the scale of a Fortune 500 company. Doing so requires the ability to monitor many networks simultaneously, strong capabilities for analyzing east-west traffic, and algorithms that adjust for evasive techniques. For instance, to fight beaconing malware you want your algorithms to examine a stream of traffic and determine the beacon interval automatically, even when the implant adds jitter to each sleep, so that the threat surfaces without an analyst guessing the period in advance. Throughout, your analyst team should be diverse, with both elite data scientists and offensive and defensive cyber experts.
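As an added illustration of the beacon-interval point above (example code written for this post, not the original author's or any vendor's detection logic), the script below groups flow records by source and destination, measures the gaps between successive connections, and scores each pair on how tightly those gaps cluster around their median. A tolerance band rather than an exact-interval match is what lets it catch an implant that jitters its sleep; a minimum sample count keeps a handful of coincidentally regular connections from being flagged. The flow records, host addresses and thresholds are constructed for the example and are not taken from real traffic.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

Flow = Tuple[int, str, str]  # (epoch seconds, src, dst); constructed records


def _cumulative(start: int, gaps: List[int]) -> List[int]:
    """Turn a list of inter-connection gaps into absolute timestamps."""
    ts, t = [start], start
    for g in gaps:
        t += g
        ts.append(t)
    return ts


# Constructed sample data (not real traffic):
#  - 10.0.0.7 beacons to 203.0.113.5 every ~60 s with up to 10% jitter.
#  - 10.0.0.9 talks to 198.51.100.20 at irregular, human-like intervals.
#  - 10.0.0.11 makes only three evenly spaced connections: too few to judge.
BEACON_TS = _cumulative(1_700_000_000, [60, 63, 57, 61, 59, 66, 54, 60, 62, 58, 60, 61])
HUMAN_TS = _cumulative(1_700_000_000, [5, 120, 3, 890, 45, 2, 400, 14, 1200, 8, 2])
SHORT_TS = _cumulative(1_700_000_000, [60, 60])

SAMPLE_FLOWS: List[Flow] = (
    [(t, "10.0.0.7", "203.0.113.5") for t in BEACON_TS]
    + [(t, "10.0.0.9", "198.51.100.20") for t in HUMAN_TS]
    + [(t, "10.0.0.11", "203.0.113.5") for t in SHORT_TS]
)


def inter_arrival(timestamps: List[int]) -> List[int]:
    """Gaps between consecutive connections, in seconds, oldest first."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def regularity(deltas: List[int], tolerance: float = 0.2) -> Tuple[float, float]:
    """Return (median gap, fraction of gaps within +/- tolerance of the median).

    The median is robust to a few missed or retried check-ins; the tolerance
    band absorbs the jitter an implant adds to its sleep. A fraction near 1.0
    means the connections are periodic even though no two gaps are identical.
    """
    m = median(deltas)
    if m <= 0:  # burst of flows in the same second: not a sleep-based beacon
        return m, 0.0
    within = sum(1 for d in deltas if abs(d - m) <= tolerance * m)
    return m, within / len(deltas)


def find_beacons(
    flows: List[Flow],
    min_connections: int = 8,
    tolerance: float = 0.2,
    min_regularity: float = 0.8,
) -> List[Tuple[Tuple[str, str], float, float]]:
    """Return [((src, dst), median_interval, regularity)] for periodic pairs."""
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    hits = []
    for pair, ts in by_pair.items():
        if len(ts) < min_connections:  # not enough evidence either way
            continue
        interval, score = regularity(inter_arrival(ts), tolerance)
        if score >= min_regularity:
            hits.append((pair, interval, score))
    return hits


if __name__ == "__main__":
    for (src, dst), interval, score in find_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: ~{interval:.0f}s period, regularity {score:.2f}")
```

In production the same scoring runs over flow logs or Zeek conn records bucketed per day, and the thresholds are tuned against the organization's own baseline; legitimate periodic traffic such as NTP or software update checks will also score high, so the output is a candidate list for enrichment, not a verdict.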
These are just some of the priorities that go into the most effective approach to cybersecurity a company can take. Ultimately, network traffic-based cybersecurity is all about making the right connections between the right data in real time. And we’ve written before on how organizations gain even more visibility when they make such connections industry-wide in a collective cyber-defense model.
Finally, as we’ll see in some future posts, our best cyber defense posture involves looking beyond just what’s happening industry-wide today. It’s time to look further into the future — anticipating and protecting against emerging cyber threats that will pose the greatest dangers months or even years down the road.